I've updated my macOS from Catalina to Big Sur and since then i also had to upgrade from the VMware fusion 11 to VMware fusion 12.
I've been using expressVPN for couple of months and usually i connect the host machine to the VPN and then i'm also able to have my guest machines under the VPN, but it's happening that now every time i connect to the VPN the guest machines simply can't access the network anymore. Any idea how to solve this issue?
Vmware machines network configurations:
The technical preview resolves the NAT issue for me. I only use the VM as a passthrough for network isolation, so I cannot speak to other compatibilities.
@dlhotka correct. From the release notes, I didn't get the impression from the build that it was a v12 beta: VMware-Fusion-e.x.p-16530630.dmg
Apple has been progressively deprecating 3rd party Kernel Extensions or “kexts” which Fusion needs to run VMs and containers. In order to continue to operate in this model, we’ve re-architected our hypervisor stack to leverage Apple’s native hypervisor APIs, allowing us to run VMs without any kernel extensions.
Currently I am running Big Sur with Cisco Anyconnect 4.9.0443 and Fusion 12.1
To date I have tried the following and have yet to find a working solution -
1. pfctl commands (In my situation they were already established)
sudo pfctl -a com.apple.internet-sharing/shared_v4 -s nat 2>/dev/null
nat on utun6 inet from 172.16.99.0/24 to any -> (utun6:0) extfilter ei
nat on en8 inet from 172.16.99.0/24 to any -> (en8:0) extfilter ei
no nat on bridge100 inet from 172.16.99.1 to 172.16.99.0/24
2. static ip vs dhcp address on VM guest OS.
3. Upgrading to Fusion 12.1
Current network setup -
Vmware - 172.16.99.0/24
Mac (en8) - 192.168.1.0/24
Utun6 (anyconnect) 10.210.170.0/24
I see the packets on the bridge as the 172.16.99.0/24 address going to external addresses or intranet addresses (anyconnect).
With external addresses - On the mac interface en8, the same 172.16.99.0/24 address appears which doesnt look like the pfctl nat is being applied correctly.
With intranet addresses (anyconnect) - On the anyconnect interface there are no packets being seen.
VMware's workaround is to connect the vpn client from the vmware os, and not the host os.
Is there another solution that I have yet to try?
I upgraded to 12.1 and this is what I'm seeing: I have multiple NAT configured VMs. From a completely powered off state, I boot one at a time. NAT interface works for the first NAT interface to come up, but none of the other machines NAT interfaces work. All machines get proper IP association and DHCP. I have to shut down everything, close Fusion, and bring the ONE machine that I want to use back online from powered down state. Hopefully this helps with some diagnostics.
More experimenting. If I create an isolated NAT network for each VM on the host, I can get network to work on each individual VM simultaneously. I don't need the VMs to talk to one another, so this workaround is fine for me, for now.
Similar problem here with Tunnelblick VPN. Switching the VM from NAT to bridged and installing a VPN client inside the VM works.
But having NATed VPN back would be nice for a couple of situations.
macOS Big Sur 11.0.1
I have a simliar issue here.
If VPN is connected on the Host machine, the VM does not have connectivity to it.
Before MacOS Big Sur and VMware Fusion 12 i do not have any issues here.
DNS resolution succeeded / Unfortunately no ICMP or tcp/udp.
ping internalhost.company.local PING internalhost.company.local (10.210.200.69) 56(84) bytes of data. ^C --- internalhost.company.local ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 29ms
ssh internalhost.company.local ssh: connect to host internalhost.company.local port 22: Connection timed out
The "normal internet" connection works ( if no VPN is connected ) with tcp/udp but no ping is possible
ping 18.104.22.168 PING 22.214.171.124 (126.96.36.199) 56(84) bytes of data. ^C --- 188.8.131.52 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 16ms
nc -vz deb.debian.org 443 Connection to deb.debian.org 443 port [tcp/https] succeeded!
Tried also a lot of Network Adapter / configuration but no
The Only way around this issue is to install a VPN Client on the guest and connect directly to the company network... but this should not be the solution.
I just tried something on my system. I have MacOS Big Sur 11.1 and VMWare Fusion 12.1. NAT failed to work after upgrading to Big Sur and Fusion 12. I also have Cisco AnyConnect VPN Client. I uninstalled Cisco AnyConnect and NAT worked fine. I had no problem connection and accessing the internet. I re-installed Cisco Anyconnect and NAT no longer worked.
It is a known issue. From the Knowledge Base of VMware
If the Big Sur host is connected to VPN, then the VM cannot access the same network as that of the host.
Workaround: Connect to the VPN in the VM instead of connecting to the VPN on the host.
I'm at a loss at this point. I may need to investigate another virtualization provider.
I've tried rebuilding the vms, I've tried several guest operating systems. I've tried a fresh host operating system on a separate machine. No complicated VPN, nothing. NAT networking is pretty much broken. It'll work intermittently; I'll pause the guest, I'll restart the hypervisor software, etc. Things will work for a bit, and then nothing.
What worked for me was to create a new network interface and connected through the IKEv2 by manually entering the server address and user info for my VPN. Depending on your VPN you may also be able to download the app and have the setup configured automatically. I'm assuming this works becuase IKEv2 implements NAT traversal.
I'm new to all of this so if someone has a more detailed explanation or can clarify something I may not have please feel free to do so. Hope this helps
I have the same issue once upgrade VMware Fusion 12 and found an solution
- company's VPN, client: Tunnelblick
- has to change the VM network to bridge and connect to VPN inside the guest Windows.
But I found a solution:
- use Viscosity VPN client instead.
- it works now in the guest Windows with "Share with my Mac" network setting. The guest Windows now can use the mac's VPN
Is there an update on this situation? Some situations require me to have the VPN installed on the host. Seems to me that there is a lot of finger pointing. Pro members should be informed of what's really going on. Is it the VPN providers, Apple, or the VMware itself?
VMWare Fusion as of Version 12.x on MacOS Big Sur is just a gigantic waste of money.
My company spends a few thousand EUR each year (whenever a new release comes up) to keep all Mac clients up to date. Yet there is ZERO official support available. VMWare doesn't accept any more support calls via Phone at all and online support portal does not offer VMWare Fusion as a supportable product. So as much as I'd LOVE to open a ticket for this mess, it is simply not possible.
My suggestion, as it worked right away and doesn't cost any money at all, is to use VirtualBox in the future. Ironic, because a few years back, we switched from VirtualBox to VMWare Fusion, because networking was so painful under VirtualBox. How things have changed.
For what it's worth, here are my observations with this mess.
For all configurations, I have selected "NAT" as networking option (allow for my mac (NAT) setting).
Booting Windows VM:
An interface "utun4" appears in my list, with an IP 192.168.16.1. It is the default gw of the VM. But there is no NAT configured on the Mac. What you can do:
1. Check your network interfaces when the VPN tunnel is active (doesn't matter, which vendor. We use "tunnelblick", an openVPN front end)
There should be an interface utunX, where X is some integer, usually between 1 and 10. This should always have the same number when you disable and re-enable the VPN. You might want to check.
2. Check your network interfaces, when the VM is up. There should be another utun interface, untunY with a different, distinct, number. For me it is utun4. Also, check the network associated with your VM. For me it is 192.168.16.0/24, default route 192.168.16.1.
3. On your mac, edit /etc/pf.conf and in between nat.anchor and rdr-anchor add:
nat on utun4 from 192.168.16.0/24 -> (utun4)
4. On your mac, save and flash rules with
sudo pfctl -f /etc/pf.conf
5. Internet/VPN access should work from your VM now.
However, when I start a Linux VM, I don't get a utunY device, I get a bridgeZ (bridge100 in my case), which is NOT a NAT device (Layer 3), but a bridge (Layer 2). In my opinion, this should be a bug, because it explicitly asked for NAT in the configuration. The same bridge appears, when I explicitly select bridge, too. So NAT is completely broken on Ubuntu Linux 20.10 Desktop. A CentOS 7 "minimal" installation, however, works fine and also uses NAT, as configured.
At this point, I give up on VMWare and switch over to VirtualBox, where things all work as expected without any problems. Maybe not paying the VMWare tax for a few years will make up for productivity lost due to VMware not working as it should.